pam: Make common-account also support unix users.

[matthijs/servers/drsnuggles.git] / etc / pam.d / common-account

diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
index 963b69665b81883d80b384d4ab534d673ee3bec4..9d8619edfdc269bf39a77030f4cf178daba510d8 100644 (file)
--- a/etc/pam.d/common-account
+++ b/etc/pam.d/common-account
@@ -9,5 +9,11 @@
 # Default was:
 #account       required        pam_unix.so
 #
-# LDAP config based on from http://wiki.debian.org/LDAP/PAM
-account         required        pam_ldap.so
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account                required        pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account         [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+                                pam_ldap.so